An Offline Transferable and Divisible Mobile Coupon based on NFC

International Conference on Computing, Mechanical and Electronics Engineering (ICCMEE'2015) July 9-10, 2015 Singapore
JiaNing Luo, and MingHour Yang

In 2009, Hsiang et al. [10] proposed a secure M-coupon
scheme that applies a quadratic residue theorem and hash
function and NFC as a channel for transactions. In 2012,
Sánchez-Silos et al. [14] proposed the WingBonus system,
which uses NFC-equipped mobile devices for accessing,
storing, managing, and redeeming mobile coupons. In 2010,
Hsueh et al. [11] proposed an M-coupon sharing protocol that
applies a word-of-mouth marketing strategy based on public
key infrastructure and digital signature. Through this protocol,
issuers generate original and recommended M-coupons to
M-coupon owners. In addition to using existing M-coupons,
owners can transfer the recommended M-coupons through
word of mouth to other users, thereby increasing M-coupon
usage.
Among various M-coupon solutions, several researchers
have not provided user identity protections [6], [9], [11], [17]–
[18] or coupon transfer functions [9]–[10].
To enhance coupon protection, this study proposes an NFC-based
M-coupon scheme that enables offline transfer and division.
A PayWord-based dual hash chain provides the transfer and
division functions. One-time certificates issued by trusted
third parties (TTPs) and the SEs in NFC cell phones are
incorporated to support unlinkable, offline transferable,
and divisible M-coupons.
Abstract—Researchers have proposed integrating vouchers with
NFC-equipped cell phones. This study proposes an NFC-based offline
transferable and divisible coupon scheme. Users can transfer the
unused portions of M-coupons to other users. The method uses
PayWord’s dual hash chain to transfer and divide M-vouchers, and adds
one-time passwords issued by trusted third parties
(One-time-certificate) and the secure elements in NFC cell phones to
provide unlinkable, offline transferable, and divisible M-coupon
functions. The scheme has the following features: 1)
unlinkability, 2) offline transferability, 3) divisibility, and 4)
redeemability. Because One-time-certificate are used, adversaries
cannot trace user identity from the coupon contents. By using
one-time-certificate obtained in advance through registration with
trusted third parties, users can transfer or redeem M-coupons without
connecting to the issuers. When users have multiple vouchers, they may
selectively make partial transfers to other users. In addition, users
may redeem discounts using self-purchased or transferred coupons.
Keywords—Divisible, mobile coupon (M-coupon), near-field
communication (NFC), offline transfer, unlinkability.
I. INTRODUCTION
COUPONS [1] are vendors’ crucial advertisement and sales
instruments, which can be further divided into ordinary
coupons and vouchers [2]. Numerous researchers have
proposed mobile coupon (M-coupon) technologies that enable
coupon downloads on mobile devices [3]–[18]. Among these,
some used near-field communication (NFC), which is a
short-distance wireless communication technology [3], [7],
[9]–[10].
In 2006, Chang et al. [6] proposed an M-coupon system
using the symmetric encryption technique. In Chang’s system,
users can transfer M-coupons to other users, but coupon
transfers and redemptions must be processed through the
issuers. However, Chang’s protocol is vulnerable to
man-in-the-middle attacks; moreover, existing owners may
preferentially redeem their coupons during redemption
processes. In 2007, Dominikus et al. [9] proposed an
NFC-based M-coupon system. M-coupons can be obtained by
accessing NFC tags on posters or advertisements by using
NFC-equipped mobile devices. This protocol prevents forging,
double-spending, and tampering but does not include the
functions of user anonymity and coupon transferability and
traceability.
II. NEAR-FIELD COMMUNICATION-BASED OFFLINE
TRANSFERABLE AND DIVISIBLE MOBILE-COUPONS
The offline-transfer M-coupon scheme proposed in this
study is divided into four stages: 1) registration, 2) purchase,
3) transfer, and 4) authentication, as shown in Fig. 1. First, all
users must obtain One-time-certificate for their cell phones
from TTPs and register. Next, users may purchase M-coupons
from issuers and download them to their cell phones.
Subsequently, users may make partial M-coupon transfers to
other users or redeem their coupons from vendors under offline
conditions. Finally, vendors authenticate the redeemed
M-coupons with the issuers. The system roles are as follows:
TTPs are responsible for managing user lists, in which users
and cell phone SEs are listed correspondingly, and for issuing
One-time-certificate. Issuers are responsible for
distributing M-coupons to users. Vendors are responsible for
redeeming users’ M-coupons. Users are the owners and
users of NFC cell phones. SEs are secure storage spaces
provided in the cell phones and used for encryption and key
generation.
JiaNing Luo is with the Information and Telecommunications Engineering
department, Ming Chuan University, Taoyuan, Taiwan.
MingHour Yang was with the Information Computer Science department,
Chung Yuan Christian University, Taoyuan, Taiwan.
http://dx.doi.org/10.15242/IIE.E0715023
each identification code and does not include the users’ and
SEs’ identity information. Finally, TTPs generate the hash
chain authentication values (𝑠 ) for the maximum permitted
coupons that authenticated users may transfer.
The detailed steps are described as follows:
Step 1: The key pair PKT1 and SKT1 is generated from the SE for
the one-time-certificate, communication key KS (shared
with TTPs), and random number Nonce1.
Step 2: The key SKA is used by the SE to encrypt user
identification IDA, one-time-certificate public key PKT1,
symmetric key KS, and random number Nonce1. SKT1 is
used to sign user identification IDA, communication key
KS, and random number Nonce1. The two messages are
subsequently combined to generate M2, which is sent to
the TTPs.
Step 3: After TTPs receive M2, CertT1 is generated and
comprises the one-time-certificate identification code
IDT1, one-time-certificate public key (PKT1), and time
limit of the One-time-certificate (TLT1).
Step 4: The TTPs then send CertT1 to the SE.
Fig. 1. Offline Transfer System Architecture. Stages: 1. Registration, 2. Purchase, 3. Offline Transfer, 4. Offline Redemption. Entities: TTP, Issuer, Merchant, User A (NFC Phone A, SEA), User B (NFC Phone B, SEB).
During initialization, TTPs, issuers, vendors, users, and SEs
each have a unique identification code ( , , , and ) and a set of
asymmetric keys ( and ). In this study, the identities are assumed
authenticated between each role during connection processes and all
messages are transferred in secure channels. The symbols used
in this study are defined in Table 1.
Table I symbol column: 𝑖; 𝑖; 𝐶𝑒𝑟𝑡𝑖; 𝐶𝑒𝑟𝑡 𝑖; 𝑖, 𝑖; 𝑖,𝑗; 𝑖𝑔𝑛( 𝑖 , 𝑀); 𝐸( 𝑖 , 𝑀); ( 𝑖 , 𝑀); 𝑁𝑜𝑛𝑐𝑒𝑎; 𝐻(); 𝐶𝑜𝑢𝑝𝑜𝑛𝑖; 𝑁; 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔; 𝐿𝑜𝑔𝑀
B. PURCHASE STAGE
At the purchase stage, users obtain M-coupons from issuers
and store them in the SEs of their cell phones. The detailed
procedure is specified as follows:
Step 1: User A encrypts IDT1, the number of M-coupons (n),
and 𝑁𝑜𝑛𝑐𝑒 using the key ( , ) shared with the issuer to
generate message 𝑀 , which is sent with CertT1 to the
issuer.
Step 2: The issuer uses , and the decryption message 𝑀 to
generate 𝑁𝑜𝑛𝑐𝑒 . 𝑁𝑜𝑛𝑐𝑒 is then used to generate the
serial number SNT1 and payword wn. In addition, CouponT1
is generated and comprises the M-coupon serial number
SNT1, one-time-certificate identification code IDT1,
number of M-coupons n, and payword wn. Next, is
used to encrypt CouponT1, 𝑁𝑜𝑛𝑐𝑒 , and 𝑁𝑜𝑛𝑐𝑒 to
generate and send 𝑀 to User A.
Step 3: User A uses the secret key of the user’s
one-time-certificate , decryption message 𝑀 , and
authenticates 𝑁𝑜𝑛𝑐𝑒 . After using 𝑁𝑜𝑛𝑐𝑒 and
encrypting , , User A generates message 𝑀 , which is
sent to the issuer. Subsequently, the issuer uses , to
decrypt 𝑀 and authenticate 𝑁𝑜𝑛𝑐𝑒 .
TABLE I
NOTATIONS
the systematic roles, comprising the TTP, issuer, vendor, user, and SE
the identification code of role i
the certification of role i
the one-time-certificate (one-time certificate) of role i
the public and secret keys of role i
the stage key between role i and system j
the function of using role i’s secret key for signing message M
the function of using role i’s key 𝑖 for encrypting message M
the function of using role i’s key 𝑖 for decrypting message M
random number a
symmetric key shared by SE and TTP
one-way hash function
dual signature
role i’s M-coupon
the serial number of the M-coupon
the transfer log of M-coupons
partial message in the M-coupon transfer log
C. OFFLINE TRANSFER STAGE
In the offline transfer stage, the original owners of the
M-coupons generate M-coupons for other users (or vendors)
according to the paywords and quantity-based hash chain
authentication values. These coupons can be passed on to
subsequent users. Through the one-way hash function, User A
generates new paywords for Users B and C by using unused
paywords and the hash chain authentication values for the
number of coupons currently transferred from authenticated
users to other users. Furthermore, User B can use the identical
method to generate new paywords to User D.
A. REGISTRATION STAGE
During registration, users register to bind user identifications
to cell phone SEs through TTPs and obtain a One-time
certificate. Users send request messages and personal
identification codes to SEs in which sets of keys and user–SE
binding signatures used for the certificate are generated.
Through mutually certified secure channels, the public keys
and signatures of certificate are sent to TTPs for registration to
confirm the current cell phone users. After registration, TTPs
generate and return the certificate (𝐶𝑒𝑟𝑡 ) to the cell phones.
This certificate comprises only one corresponding public key to
Step 9: After receiving 𝑀 , User B uses
to decrypt 𝑀
and authenticate 𝑁𝑜𝑛𝑐𝑒 . User B then obtains 𝐿𝑜𝑔𝑀
from 𝐿𝑜𝑔𝑀 and hashes (one-way) the hashed 𝐿𝑜𝑔𝑀
and 𝑒𝑞𝑢𝑒𝑠𝑡 and authenticates whether the results match
.
D. OFFLINE REDEMPTION STAGE
At the offline redemption stage, vendors authenticate
M-coupons with issuers. The detailed steps are specified as
follows:
Step 1: The vendor sends 𝐶𝑜𝑢𝑝𝑜𝑛 and 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 to the
issuer.
Step 2: The issuer obtains 𝐿𝑜𝑔𝑀 from 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 , from
which 𝐿𝑜𝑔𝑀 can be derived. Subsequently, after
decryption using the key shared with User B ( , ), the
vendor’s authenticated identification code (
),
payword for the currently used numbers of coupons and
coupon transfers ( 𝑘 𝑗 ), payword for the currently used
numbers of coupons ( 𝑘 ), number of coupons currently
transferred to others ( ), and hash chain authentication
value for the number of coupons currently transferred to
others (𝑠𝑘 ) are hashed. Next, one-way hash is performed
with 𝐿𝑜𝑔𝑀 to authenticate whether the results match the
dual signature
.
Step 3: The issuer obtains 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 and 𝐿𝑜𝑔𝑀 from
𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 and 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 , respectively, and
decrypts 𝐿𝑜𝑔𝑀 by using , . Next,
, 𝑘 𝑖, 𝑘, ,
and 𝑠𝑘 are hashed. One-way hash is then performed with
𝐿𝑜𝑔𝑀 to authenticate whether the results match
.
Step 4: In this step, the number of coupon transfers (𝑖 and ) are
verified to determine whether they exceed the number of
redemptions.
Fig. 2. Offline Redemption Architecture.
At the offline transfer stage, User A can divide and transfer
parts of the M-coupons to User B or redeem them from
vendors. The detailed steps are specified as follows:
Step 1: User A transfers the personal identification code
and 𝐶𝑒𝑟𝑡 to User B.
Step 2: User B generates the personal one-time-certificate
identification code
, number of M-coupon transfers
𝑖, 𝑁𝑜𝑛𝑐𝑒 , and 𝐶𝑒𝑟𝑡 to User A.
Step 3: User A generates 𝑁𝑜𝑛𝑐𝑒 , 𝑁𝑜𝑛𝑐𝑒 , and a new serial
number 𝑁 . In addition, User A adds the paywords for
the current number of coupons used and for the sum of
the current number of coupons used and transferred ( 𝑘
and 𝑘 𝑖 ) as well as the hash chain authentication value
for the current number of coupons transferred to others
(𝑠𝑘 ) through one-way hash to generate a new payword for
the previous number of coupons ( 𝑖 ). Subsequently,
User A uses the new serial number 𝑁 , User B’s
identification code
, number of coupon transfers 𝑖,
and new payword for the previous number of coupons 𝑖
to generate the new 𝐶𝑜𝑢𝑝𝑜𝑛 .
Step 4: User A uses
, 𝑘 𝑖 , 𝑘 , and the current number of
coupon transfers and the hash chain authentication
value thereof 𝑠𝑘 to generate message 𝐿𝑜𝑔𝑀 through
one-way hash. User A then computes the request message
𝑒𝑞𝑢𝑒𝑠𝑡 through one-way hash to generate message
𝐿𝑜𝑔𝑀 .
Step 5: User A hashes (one-way) and signs 𝐿𝑜𝑔𝑀 and 𝐿𝑜𝑔𝑀
to generate the dual signature
.
Step 6: User A uses , to encrypt
, 𝑘 𝑖 , 𝑘 , , 𝑠𝑘 , ,
and 𝐿𝑜𝑔𝑀 and generate message 𝐿𝑜𝑔𝑀 .
Step 7: User A uses 𝐿𝑜𝑔𝑀 , 𝐿𝑜𝑔𝑀 ,
, and 𝐶𝑒𝑟𝑡 to
generate message 𝐿𝑜𝑔𝑀 and then uses 𝑁 , 𝑁 , and
the signature for the newly hashed 𝐶𝑜𝑢𝑝𝑜𝑛 to generate
𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 .
Step 8: User A uses users’ public key
to encrypt
𝐶𝑜𝑢𝑝𝑜𝑛 , 𝑇𝑟𝑎𝑛𝑠𝑓𝑒𝑟𝐿𝑜𝑔 , 𝑁𝑜𝑛𝑐𝑒 , and calculated
𝑁𝑜𝑛𝑐𝑒 (𝑁𝑜𝑛𝑐𝑒 ) to generate and send 𝑀 to User B.
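An added example, not code from the paper, of the PayWord-style division in Step 3 and the issuer-side checks at redemption (chain membership, payword binding, overlap of transferred ranges). The SHA-256 hash, the standard PayWord indexing with w_0 as the root, the input order of the derived payword, all function and class names, and an issuer that holds only the two chain roots plus a ledger are assumptions; the seeds are constructed sample values.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (hash choice is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def make_chain(seed: bytes, n: int) -> list:
    """PayWord chain: c[n] = seed, c[j-1] = H(c[j]); c[0] is the public root."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain

def hashes_to_root(value: bytes, index: int, root: bytes) -> bool:
    """True if applying H `index` times to `value` yields `root`."""
    for _ in range(index):
        value = H(value)
    return value == root

def derive_transfer_payword(w, s, k: int, i: int) -> bytes:
    """Owner side: with k coupons used, bind i more to a new payword built
    from w_k, w_{k+i} and s_k (input order is an assumption)."""
    if k < 0 or i <= 0 or k + i >= len(w):
        raise ValueError("transfer exceeds coupon balance")
    return H(w[k], w[k + i], s[k])

class Issuer:
    """Hypothetical verifier holding the two chain roots and a ledger."""
    def __init__(self, w_root: bytes, s_root: bytes, n: int):
        self.w_root, self.s_root, self.n = w_root, s_root, n
        self.claimed = set()  # coupon indices already transferred or redeemed

    def verify_transfer(self, k, i, w_k, w_ki, s_k, new_payword) -> str:
        if k < 0 or i <= 0 or k + i > self.n:
            return "reject: exceeds issued quantity"
        if not (hashes_to_root(w_k, k, self.w_root)
                and hashes_to_root(w_ki, k + i, self.w_root)
                and hashes_to_root(s_k, k, self.s_root)):
            return "reject: value not on chain"
        if H(w_k, w_ki, s_k) != new_payword:
            return "reject: payword mismatch"
        span = set(range(k + 1, k + i + 1))
        if span & self.claimed:  # same coupons presented twice
            return "reject: double-spend"
        self.claimed |= span
        return "accept"

def demo():
    n = 10
    w = make_chain(b"constructed-issuer-seed", n)  # payword chain
    s = make_chain(b"constructed-ttp-seed", n)     # transfer-authentication chain
    issuer = Issuer(w[0], s[0], n)
    k, i = 3, 4  # 3 coupons used, 4 transferred to User B
    pw = derive_transfer_payword(w, s, k, i)
    first = issuer.verify_transfer(k, i, w[k], w[k + i], s[k], pw)
    replay = issuer.verify_transfer(k, i, w[k], w[k + i], s[k], pw)
    forged = issuer.verify_transfer(7, 3, w[7], H(b"x"), s[7], pw)
    return first, replay, forged

if __name__ == "__main__":
    print(demo())
```

The replayed transfer is only caught once the log reaches the issuer, which matches the paper's statement that offline double-spending is identified on reconnection.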
III. SECURITY ANALYSIS
This section presents an analysis of the security of the
proposed method.
Unlinkability: At the purchase, transfer, and redemption
stages, users purchase M-coupons by using
One-time-certificate, which comprise only one-time-certificate
identification codes and public keys and exclude user and SE
identity information. Therefore, adversaries cannot trace user
identities from coupon contents.
Offline transferability: Both transaction parties use the SEs
in NFC through TTP-issued one-time-certificate secret keys to
generate new M-coupons. Therefore, coupon owners can
authenticate and transfer coupons through One-time-certificate
under offline conditions.
Divisibility: During the offline transfer stage, users use
paywords and s_k to generate new paywords and use dual
signatures to enable issuers to trace the sources of coupon
transfers.
Verifiability: At the purchase stage and online transfer and
redemption stage, coupon issuance requires the signing of
issuers. Therefore, anyone can authenticate the legitimacy of
M-coupons. During offline transfer and redemption, the
original coupon owners use secret keys for signing and issuing
M-coupons, which are legitimized through one-time-certificate
authentication.
Forgery prevention: During the purchase stage and online
coupon transfer and redemption stages, issuers have the only
secret keys to sign and issue M-coupons. Therefore,
M-coupons cannot be forged. In offline transfer and
redemption, M-coupons are issued by the original coupon
owners, who own the only secret keys to one-time signatures
and coupon issuance. Therefore, M-coupons cannot be forged
under offline conditions either.
Double-spending prevention: During the online transfer and
redemption stages, the processes must be completed through
the issuers; therefore, issuers may prevent transferrers and
redeemers from double-spending. Under offline conditions,
coupon transfers and redemption bypass the issuers, but new
M-coupons must be signed through One-time-certificate.
Double-spending can be identified when reconnected to
issuers.
Tampering: During the purchase stage, issuers determine
whether the purchase-related information message digests and
order-related information hash values agree with the dual
signatures, and TTPs determine whether the purchase-related
information hash values and order-related information message
digests agree with the dual signatures. Tampered information
fails this verification process. In coupon transfer
and redemption, M-coupons are signed through the issuers or
user One-time-certificate; therefore, coupon tampering can be
detected.
Nonrepudiation: Both parties during coupon transfers have
records of one-time-certificate exchanges; therefore, they
cannot deny actions performed in previous transactions.
IV. CONCLUSION
In this study, a PayWord-based dual hash chain was
integrated with NFC-equipped mobile devices to provide a
scheme capable of making offline transfers and dividing
M-coupons. NFC exhibits the convenience of data transfer
through touch-interaction of NFC-equipped devices. By using
these devices, users may purchase M-coupons from issuers and
redeem coupons from vendors. Moreover, they may fully or
partially transfer their M-coupons to other users.
In this method, users purchase, redeem, and transfer
M-coupons by using OTPs obtained from TTPs, who have
strict access to the user identities, thereby achieving
unlinkability. The application of this method was based on
PayWord’s dual hash chain. In addition, SEs from NFC cell
phones were added to provide the transferability and
divisibility of M-coupons. When disputes occur during
transaction processes, exchange records can be traced through
TTPs, thereby reinforcing nonrepudiation.
This method stimulates the willingness of consumers to
consume by using M-coupons and promotes issuers’ and
vendors’ increased revenues, thereby providing mutually
beneficial effects.
REFERENCES
[1] M. Kumar, A. Rangachari, A. Jhingran, and R. Mohan, “Sales promotions
on the internet,” 3rd USENIX workshop on Electronic Commerce, Boston,
pp. 167-176, 1998.
[2] F. Borrego-Jaraba, P. C. Garrido, G. C. García, I. L. Ruiz, and M. Á.
Gómez-Nieto, “A Ubiquitous NFC Solution for the Development of
Tailored Marketing Strategies Based on Discount Vouchers and Loyalty
Cards,” in Sensors, Vol. 13(5), pp. 6334-6354, 2013.
[3] M. Aigner, S. Dominikus, and M. Feldhofer, “A System of Secure Virtual
Coupons Using NFC Technology,” 5th Annual IEEE International
Conference on Pervasive Computing and Communications Workshops,
pp. 362-366, 2007.
http://dx.doi.org/10.1109/percomw.2007.15
[4] A. Alshehri, J. A. Briffa, S. Schneider, and S. Wesemeyer, “Formal
security analysis of NFC M-coupon protocols using Casper/FDR,” 5th
International Workshop on Near Field Communication (NFC), pp. 1-6,
2013.
http://dx.doi.org/10.1109/nfc.2013.6482439
[5] F. Armknecht, A. N. E. B., H. Löhr, M. Manulis, and A.-R. Sadeghi,
“Secure Multi-Coupons for Federated Environments: Privacy-Preserving
and Customer-Friendly,” in Information Security Practice and
Experience, L. Chen, Y. Mu, and W. Susilo, Editors, Springer Berlin
Heidelberg, pp. 29-44, 2008.
[6] C. C. Chang, C. C. Wu, and I. C. Lin, “A Secure E-coupon System for
Mobile Users,” in International Journal of Computer Science and
Network Security, Vol. 6(1), pp. 273-279, 2006.
[7] H.-C. Cheng, J.-W. Chen, T.-Y. Chi, and P.-H. Chen, “A generic model
for NFC-based mobile commerce,” 11th International Conference on
Advanced Communication Technology, pp. 2009-2014, 2009.
[8] G. V. Damme, K. M. Wouters, H. Karahan, and B. Preneel, “Offline
NFC payments with electronic vouchers,” in Proceedings of the 1st ACM
workshop on Networking, systems, and applications for mobile handhelds
pp. 25-30, 2009.
[9] S. Dominikus and M. Aigner, “mCoupons: An Application for Near
Field Communication (NFC),” 21st International Conference on
Advanced Information Networking and Applications Workshops, pp.
421-428, 2007.
[10] H.-C. Hsiang, H.-C. Kuo, and W.-K. Shih, “A secure mCoupon
scheme using near field communication,” in International Journal of
Innovative Computing, Information and Control, Vol. 5(11 (A)), pp.
3901-3909, 2009.
[11] S.-C. Hsueh and J.-M. Chen, “Sharing secure m-coupons for
peer-generated targeting via eWOM communications,” in Electronic
Commerce Research and Applications, Vol. 9(4), pp. 283-293, 2010.
http://dx.doi.org/10.1016/j.elerap.2010.01.002
[12] A. P. Isern-Deya, M. F. Hinarejos, J.-L. Ferrer-Gomila, and M.
Payeras-Capellà, “A Secure Multicoupon Solution for Multi-vendor
Scenarios,” IEEE 10th International Conference on Trust, Security and
Privacy in Computing and Communications (TrustCom), pp. 655-663,
2011.
[13] H. Meng and D. Zhang, “Research on the digital coupon of mobile
two-dimensional code based on RSA digital signature,” Second
International Conference on Computational Intelligence and Natural
Computing Proceedings (CINC), pp. 368-371, 2010.
[14] J. J. Sánchez-Silos, F. J. Velasco-Arjona, I. L. Ruiz, and M. Á.
Gómez-Nieto, “An NFC-Based Solution for Discount and Loyalty
Mobile Coupons,” 4th International Workshop on Near Field
Communication (NFC), pp. 45-50, 2012.
[15] L. Xin and X. Qiu-liang, “Practical compact multi-coupon systems,”
IEEE International Conference on Intelligent Computing and Intelligent
Systems, pp. 211-216, 2009.
[16] B. Zhang, J. Teng, X. Bai, Z. Yang, and D. Xuan, “P 3-coupon: A
probabilistic system for Prompt and Privacy-preserving electronic coupon
distribution,” IEEE International Conference on Pervasive Computing
and Communications (PerCom), pp. 93-101, 2011.
http://dx.doi.org/10.1109/PERCOM.2011.5767599
[17] C.-K. Chang, “An Improved E-Coupon Scheme and Its Extension to
E-Gift Certificate,” Master’s Thesis, Department of Information
Engineering and Computer Science, Feng Chia University, Taichung,
Taiwan, 2007.
[18] Y.-J. Lai, “Transferable Valued Coupon for Mobile Applications,”
Master’s Thesis, Department of Information Management, National
Taiwan University of Science and Technology, Taipei, Taiwan, 2012.
[19] R. Rivest and A. Shamir, “PayWord and MicroMint: Two simple
micropayment schemes,” in Security Protocols, M. Lomas, Editor,
Springer Berlin Heidelberg, pp. 69-87, 1997.
[20] K. Sunhyoung and L. Wonjun, “A pay word-based micropayment
protocol supporting multiple payments,” The 12th International
Conference on Computer Communications and Networks, pp. 609-612,
2003.
http://dx.doi.org/10.1109/icccn.2003.1284234